Active Whois


How To Find the Sender's Original IP Address Using Email Message Headers

So you'd like to find out just who is sending those email love letters, determine the sender of a blackmail message, or just root out the source of a virus emailed to you. There are indeed many such situations where you would like to know who sent a particular email message to you. This article will teach you how to use "Email Headers" to backtrack and find the original sender's IP address. Don't worry, it's not rocket science. If it were, SPAM would still only be canned meat and an amusing Monty Python skit!

Theory...

Email messages, as in the case of their non-electronic cousins, have "envelopes" of a sort. In the case of email the envelope is composed of a series of "Headers". These are just a series of lines of characters which precede the actual email message. Email programs such as Outlook do not normally display these Headers when displaying a message. From these Headers however, the email program is able to extract important information about the message, such as the message encoding method, the creation date, the message subject, the sender and receiver, etc.

Moreover, just as a postal envelope contains an address, a return address and the cancellation stamp of the post office of origin, an email message in these "Headers" carries with it a history of its journey to your email inbox. Because of this, it's possible to determine the original IP address of the sender.

Since email programs do not normally display these Headers, we must first learn how to display them. Depending on the program, this is done in a variety of ways. The following sequences detail how to do this in some common email programs:

As you can see in these pictures, a Header consists of two sections separated by a colon ":". The first part is the Header's name. The second is the Header's data. In the case of postal mail, in principle, it is possible to write any kind of information (c/o, suite or apartment number, etc.) into the address information. Similarly, email Headers can also include any kind of information. Usually however, an email Header will contain at least the following basic Header information:

Header Name    Header Data (followed by a Sample)

To:            The name and email address of the recipient
               Sample: To: "John Doe" <JohnDoe@hotmail.com>

From:          The name and email address of the sender
               Sample: From: "Alice Smith" <alice123@aol.com>

Date:          Date the message was created
               Sample: Date: 1 Nov 2004 22:49:20 -0000

Subject:       The subject of the message which follows the Headers
               Sample: Subject: How are you?

Return-Path:   The email address for responding to the message
               Sample: Return-Path: <alice.smith@anydomain.com>

Received:      Delivery stamp
               Sample: Received: from [67.66.123.205]
                            by web41013.mail.yahoo.com via HTTP; Sun, 25 Apr 2004 23:13:34 PDT

In some cases, a number of these Headers may not be necessary. To determine the address of origin, special attention must be paid to the 'Received:' Headers. These Headers are selected on our screenshot illustration. 'Received' Headers have the following format:

  Received: from [computer name and/or IP address from sender]
         by [server name] (maybe Internet protocol too); date.

Sample:
   Received: from [67.66.123.205]
         by web41013.mail.yahoo.com via HTTP; Sun, 25 Apr 2004 23:13:34 PDT

Briefly, this means that the server web41013.mail.yahoo.com received the message from the IP address 67.66.123.205 on the 25th of April 2004, at 11:13:34 pm PDT, via the HTTP protocol (i.e. through the web).

So, as we have observed, it is from the 'Received' Header that we retrieve the IP address or domain name. Using this IP address, Active Whois is able to look up additional information such as associated postal and email addresses. You can easily select and copy the IP address from the Outlook Internet Headers box by using CTRL-C to place it on the clipboard.

We are faced with an additional problem however. Email messages frequently contain more than one 'Received' Header. How can we know which of these several Headers contains the originating IP address belonging to the sender? 'Received' Headers are appended to the front of the email message as it travels through the Internet to your email inbox. The flow diagram below shows how these 'Received' Headers are appended to the message as we travel backwards from the receiver to the sender:

Email receiver:

The Recipient's mailbox receives the message from his POP3 or webmail server. No new 'Received' Header is added at this stage.

Recipient's email server (adds the Header at the top of the Header sequence):

The Recipient's email server (POP3, Yahoo, Hotmail, etc.) receives the email message from the sender's server (e.g. bay15.hotmail.msn.com).

  • A 'Received: from [sender mail server] by [recipient mail server]' field is appended to the top of the current sequence of Header strings.
  • Any previous 'Received' Headers will appear below this new one.
  • The newest 'Received:' Header, at the top of the sequence of Headers, now contains the IP address belonging to the email server of the sender (e.g. Hotmail.com). It is not the true IP address of the sender himself.

Received: from bay15.hotmail.com (HELO hotmail.com) (65.54.185.39)
     by mail2.aol.com with SMTP; 30 Sep 2004 02:27:02 -0000

Sender's email server:

The sender's email server receives the email message from the sender's computer.

  • The first 'Received' Header, containing the true IP address of the sender (e.g. 203.172.49.180), is appended to the message, appearing now at the very top of the sequence of Headers.
  • As the message travels over the Internet, new 'Received' fields will be appended to the top of the sequence of Headers. This means that the sender's actual IP address will always be in the very bottommost 'Received:' Header.

Received: from 203.172.49.180 by bay15.hotmail.msn.com with HTTP;
     Thu, 30 Sep 2004 02:26:37 GMT

Email sender:

The Sender sends an email message to his own email server to begin its journey to the receiver. The common set of Header strings is created at this point.

From: "John Doe" <JohnDoe@hotmail.com>
To: "Alice Smith" <alice123@aol.com>
Subject: Nice meeting!
Date: Thu, 30 Sep 2004 02:26:37 +0000

There are other possible variations in email routing. Your Email Service Provider (or the provider of the sender) may use several 'pass-through' email servers and these servers can add several 'Received' Headers. Also, if you and the sender use the same server, the message will have only one 'Received' Header.

Practice... or tips for traps

Unfortunately there are those who, for various reasons, want to conceal their IP address from the message receiver. About 95% of Internet email is composed of spam, viruses and other types of illicit material. Most spammers use clever tricks to hide their true IP address. They can, for example, place fake 'Received' Headers into the email Headers. They might look something like the following:

Received: from %RNDUCCHAR1524 (j236.128.26.76.%RNDLCCHAR15357.ti.yahoo.com 96.208.178.254)
     by mail08.t.yahoo.com (47.1.777akv719/%RNDDIGIT12.4.50) with SMTP id fwf54N4Wnto%RNDDIGIT15;
     Wed, 06 Oct 2004 09:22:39 +0500

In this example, symbols such as %RNDDIGIT12 or %RNDLCCHAR15357 look like instructions to a mass-mailer application to insert RaNDom CHARacters or DIGITS, meant to confuse you as well as your anti-spam filter. In this case, the true sender IP is likely to be in the first 'Received' Header, that is, the one that was inserted by your email service provider's email server, because most spammers send their messages directly to your mailbox without using any intermediate servers. Only one of the 'Received' Headers can then be the one we're looking for. Once we find it, we can conclude that all of the others are fake.

We may safely conclude that, since there are often several 'Received' Headers in an email message, servers deliver email using a 'chained' process. For that reason the sender ('from') indicated in the current 'Received' Header should always correspond directly to the server ('by') indicated in the previous 'Received' Header, i.e. the one below it. A Header that breaks this chain is suspect.
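The chain rule above, together with the unfolding of multi-line 'Received' Headers and the check for unfilled mass-mailer placeholders from the previous section, as an added Python example that is not part of the original article. The sample header blocks are constructed from the article's own examples; the hostnames mx.recipient-isp.example and mail.example.net are made up, and the chain check is purely textual (no DNS lookups).

```python
import re

# Constructed sample header blocks (top line = newest hop), modelled on the article's
# examples; the forged hop in the second block is the article's own spammer example.
CLEAN_HEADERS = """\
Received: from bay15.hotmail.msn.com (HELO hotmail.com) (65.54.185.39)
     by mail2.aol.com with SMTP; 30 Sep 2004 02:27:02 -0000
Received: from 203.172.49.180 by bay15.hotmail.msn.com with HTTP;
     Thu, 30 Sep 2004 02:26:37 GMT
"""
FORGED_HEADERS = """\
Received: from unknown (HELO mail.example.net) (198.51.100.23)
     by mx.recipient-isp.example with SMTP; Wed, 06 Oct 2004 09:25:01 +0000
Received: from %RNDUCCHAR1524 (j236.128.26.76.%RNDLCCHAR15357.ti.yahoo.com 96.208.178.254)
     by mail08.t.yahoo.com (47.1.777akv719/%RNDDIGIT12.4.50) with SMTP id fwf54N4Wnto%RNDDIGIT15;
     Wed, 06 Oct 2004 09:22:39 +0500
"""
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def received_hops(raw):
    """Parse each 'Received:' header (continuation lines unfolded first), newest (top) first."""
    hops = []
    for line in re.sub(r"\r?\n[ \t]+", " ", raw).splitlines():
        m = re.match(r"received:\s*from\s+(.+?)\s+by\s+(\S+)", line, re.I)
        if m:
            ip = IPV4.search(m.group(1))
            hops.append({"from_host": m.group(1).split()[0].lower(), "by": m.group(2).lower(),
                         "ip": ip.group(1) if ip else None,
                         "suspicious": "%RND" in line})  # unfilled mass-mailer placeholder
    return hops

def linked(newer, older):
    """Chain rule from the article: the 'from' of a hop must name the 'by' of the hop below.
    Returns None when 'from' is a bare IP, which cannot be compared without a DNS lookup."""
    if IPV4.fullmatch(newer["from_host"]):
        return None
    return newer["from_host"] == older["by"]

def trace_origin(raw):
    """Walk down from the receiver's own server and stop at the first forged-looking or
    unlinked hop; the last trusted hop's 'from' IP is the best candidate for the sender."""
    hops, last = received_hops(raw), -1
    for i, hop in enumerate(hops):
        if hop["suspicious"]:
            break
        last = i
        if i + 1 < len(hops) and linked(hop, hops[i + 1]) is False:
            break
    return {"ip": hops[last]["ip"] if last >= 0 else None, "hop": last,
            "untrusted_below": len(hops) - last - 1}
```

For the clean block the candidate is the bottommost hop (203.172.49.180); for the forged block the chain breaks after the receiver's own server, so the candidate is the IP that server saw (198.51.100.23) and the hop beneath it is reported as untrusted.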

It is also useful to check the DNS of senders by using Active Whois. 'Received:' Headers containing random, made-up domain names will never resolve in DNS to the IP addresses they claim.

While viruses have not yet attained this level of deviousness, you can easily retrieve the administrator's email address for the IP address using Active Whois and quickly help stem a new virus outbreak by warning the administrator that someone is sending numerous viruses to you through his server.

Some additional facts in conclusion:

There is a useful Header, 'X-Mailer', that specifies the email program of the sender. It can also help you spot messages that were sent by an email bot, particularly when this Header is missing from the message.

The email address of the sender can be easily faked. SMTP (Simple Mail Transfer Protocol), by which email is handled, allows this deception because it does not verify Headers such as the 'From' Header that contains the sender's email address.


Copyright 1999-2022 © by Ivan Mayrakov
All rights reserved.